
Always a good reason to remove access when you fire someone

Nye goes on to explain that access to Fannie Mae's computers for contractors' employees was controlled by the company's procurement department, which did not terminate Makwana’s computer access until late in the evening Oct. 24.

Five days later, another Unix engineer discovered the malicious script embedded within a pre-existing, legitimate script. According to a federal affidavit, the legitimate script runs every morning at 9 a.m. and validates that there are two storage area network paths running correctly and operationally through all Fannie Mae servers. The malicious script was at the bottom of the legitimate script and was separated by roughly one page of blank lines in an apparent attempt to hide the malicious script within a legitimate script.

If you actually work in IT, and have a brain, aren't you going to see the writing on the wall, and take a few "precautions" in case the parting of the ways isn't to your satisfaction?

That stuff was installed way before he got fired, but there are still scumbags getting big dollars because they are the big cheeses and know jack $h1t about IT?

They are the ones who screwed the basic security? They had no model.

Way too PR and plausible to the idiot public for me...............I am getting old

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?

Even if you have policy to disable accounts "immediate upon termination", compliance is not always 100%.

I run a daily diff (actually sdiff... easier to read) on all production directories comparing yesterday's diff to today's. Looking for any source changes which are compared to change mgt reports. Always manage to catch a few "emergency" changes that have downstream impacts and an occasional rogue contractor/employee.
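As an added example (not code from this thread or from the poster), here is one way to automate the daily production diff described above, with an extra check for the hiding trick in the affidavit: a script that suddenly carries more commands after a page of blank lines. It assumes a POSIX shell with awk and either sha256sum or shasum; the directory and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: daily manifest diff of a production directory, plus a check for
# scripts whose real content is followed by a run of blank lines and then more
# code. Paths and sample file contents are constructed for illustration.

# Pick a SHA-256 tool; both print "hash  ./path", which the functions below rely on.
if command -v sha256sum >/dev/null 2>&1; then HASHER=sha256sum; else HASHER="shasum -a 256"; fi

# make_manifest DIR OUT: one "hash  ./relative/path" line per file, sorted.
make_manifest() {
    ( cd "$1" && find . -type f -exec $HASHER {} + | LC_ALL=C sort ) > "$2"
}

# manifest_changes OLD NEW: paths that were added, removed or modified.
# A line present in only one manifest survives uniq -u; a modified file
# contributes one unique line from each side, hence the final sort -u.
manifest_changes() {
    cat "$1" "$2" | LC_ALL=C sort | uniq -u | awk '{print $2}' | LC_ALL=C sort -u
}

# hidden_tail FILE [GAP]: succeed (exit 0) if non-blank content follows a run of
# at least GAP blank lines (default 20). Blank lines at the very end do not count.
hidden_tail() {
    awk -v gap="${2:-20}" '
        /^[ \t]*$/ { blank++; next }
        { if (blank >= gap) found = 1; blank = 0 }
        END { exit (found ? 0 : 1) }' "$1"
}

# setup_sample: constructed scenario. Day 1 holds a harmless SAN path check;
# on day 2 the same file has 60 blank lines and an extra command appended.
# Prints the working directory so the caller can inspect both manifests.
setup_sample() {
    base=$(mktemp -d) && mkdir -p "$base/prod"
    printf '#!/bin/sh\n# count active SAN paths\nmultipath -ll | grep -c active\n' > "$base/prod/sanchk.sh"
    make_manifest "$base/prod" "$base/yesterday.txt"
    { awk 'BEGIN { for (i = 0; i < 60; i++) print "" }'; echo 'echo "appended after a page of blank lines"'; } >> "$base/prod/sanchk.sh"
    make_manifest "$base/prod" "$base/today.txt"
    echo "$base"
}

# Run with "demo" as the first argument to see the report for the sample data.
if [ "${1:-}" = "demo" ]; then
    base=$(setup_sample)
    for f in $(manifest_changes "$base/yesterday.txt" "$base/today.txt"); do
        if hidden_tail "$base/prod/$f" 20; then echo "$f: CHANGED, hidden tail"; else echo "$f: CHANGED"; fi
    done
fi
```

In real use, yesterday's manifest would be kept from the previous run and the list of changed paths reconciled against the change management tickets for that day.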

Federal officials said Makwana was terminated because on or about Oct. 10 or Oct. 11 he created a computer script that changed the setting on the Unix servers without getting the nod of his supervisor. That script was not malicious.

So, you let junior contractor's staff modify your production environment on the fly, and think that the solution is to make sure that their access is cancelled when they leave?

Am I the only person who sees that there is a somewhat larger governance and security issue here?

Am I the only person who sees that there is a somewhat larger governance and security issue here?

You're not alone old man.

The business stakeholders in MANY of the smaller shops I have worked in refuse to fund the necessary infrastructure (e.g. governance, change mgt) and then when their inaction causes a problem, they just blame the IT guy.

But I'm not complaining. If they were too efficient and effective, they wouldn't need me.

OK, I agree that it is not uncommon in smaller shops and in manufacturing, engineering, retail and the like, where IT is not considered that important.

Fannie Mae is a major financial institution............... the rules should be different there.

Also the rules for contractors should be different. The one thing you are sure of is that they will leave at the end of their contract, amicably or otherwise.

They should not have direct access to the production environment and their activities should be reviewed by a permanent member of staff to ensure that they are appropriate, properly documented and fully understood.

This isn't just a security issue, it is one of basic functionality. How can you support, maintain and enhance things if you don't know how they work? You might let your own staff get away with a few "emergency adjustments", not that I have ever done such a thing (much) but you must never let contractors do it unless, of course, you have outsourced. In the case of outsourcing you should satisfy yourself that the contractor has suitable processes and procedures to control their staff and protect your systems before taking them on?

However, after his termination, Makwana's access to the computer systems did not immediately end, and he retained full access rights until at least 10 p.m. that evening, according to an FBI affidavit. Makwana used his extended legitimate access to clear out all logs that revealed his access to the server, eliminating any "footprint" of his malicious activities on Oct. 24. He then gained launch code that would allow him access to Fannie Mae's servers remotely. Upon gaining root access to Fannie Mae's system, Makwana created a file in which he developed the malicious code on Oct. 25, the day after his termination.

"This is definitely an access governance control failure," Cleary said.

Absolutely!

Cleary said that contracted employees will likely become a bigger security threat

That is a bit obvious? the more contractors you have the greater the probability that a contractor will be a security threat. Having said that, contractors expect to move on, so are much less likely to be disgruntled than a permanent employee who is laid off?

And again, an employee looking for another job is likely to want a good reference, which a federal indictment is not?

An examination of Makwana's e-mails in the days before he created the malicious code indicated that he instructed relatives in India not to return to the U.S., the FBI affidavit said.

Looks like he had something in mind prior to the event?

He then gained launch code that would allow him access to Fannie Mae's servers remotely.

That sentence doesn't really make sense. I suppose it means that he planted a backdoor? This seems like a better description:

Makwana was told of his termination on Oct. 24 at about 2 p.m., after which he surrendered his badge and left the Urbana facility at about 4:45 p.m. that same day, according to an FBI affidavit. However, Makwana's server access was not terminated until 10 p.m. later that evening. Makwana used his extended access to reset the company's servers that would eliminate his "footprint" and impede security alerts that would ordinarily warn Fannie Mae engineers of an intruder's continued access to the servers. Makwana then launched code that would enable him to access the servers remotely, and created the logic bomb the following day, Oct. 25.

It sounds as if he had already created the backdoor? When you fire somebody you have a member of staff remain with them until they leave the premises, and how would he know that he would be able to access the server after he had left?

It would probably be best practice to revoke the authorities before informing the person of their termination. Follow that with an audit of what they have been doing and had access to, which does seem to be what happened, because I don't think that you would discover something like that by accident.